Commit 5bf0f7a0 authored by Gabriel Mazetto's avatar Gabriel Mazetto

Merge branch '250695-make-secret-variable-type-configurable' into 'master'

Make the variable type for the GitLab CI secret configurable

See merge request gitlab-org/gitlab!54858
parents 5d012f5a 0ff59c78
...@@ -23,7 +23,8 @@ ...@@ -23,7 +23,8 @@
} }
}, },
"additionalProperties": false "additionalProperties": false
} },
"^file$": { "type": "boolean" }
}, },
"additionalProperties": false "additionalProperties": false
} }
......
...@@ -8,6 +8,7 @@ type: concepts, howto ...@@ -8,6 +8,7 @@ type: concepts, howto
# Using external secrets in CI # Using external secrets in CI
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
Secrets represent sensitive information your CI job needs to complete work. This Secrets represent sensitive information your CI job needs to complete work. This
sensitive information can be items like API tokens, database credentials, or private keys. sensitive information can be items like API tokens, database credentials, or private keys.
...@@ -116,6 +117,18 @@ After GitLab fetches the secret from Vault, the value is saved in a temporary fi ...@@ -116,6 +117,18 @@ After GitLab fetches the secret from Vault, the value is saved in a temporary fi
The path to this file is stored in a CI/CD variable named `DATABASE_PASSWORD`, The path to this file is stored in a CI/CD variable named `DATABASE_PASSWORD`,
similar to [variables of type `file`](../variables/index.md#cicd-variable-types). similar to [variables of type `file`](../variables/index.md#cicd-variable-types).
To overwrite the default behavior, set the `file` option explicitly:
```yaml
secrets:
DATABASE_PASSWORD:
vault: production/db/password@ops
file: false
```
In this example, the secret value is put directly in the `DATABASE_PASSWORD` variable
instead of pointing to a file that holds it.
For more information about the supported syntax, read the For more information about the supported syntax, read the
[`.gitlab-ci.yml` reference](../yaml/index.md#secretsvault). [`.gitlab-ci.yml` reference](../yaml/index.md#secretsvault).
......
...@@ -4230,7 +4230,7 @@ variables. ...@@ -4230,7 +4230,7 @@ variables.
#### `secrets:vault` **(PREMIUM)** #### `secrets:vault` **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4 and GitLab Runner 13.4.
Use `vault` to specify secrets provided by [Hashicorp's Vault](https://www.vaultproject.io/). Use `vault` to specify secrets provided by [Hashicorp's Vault](https://www.vaultproject.io/).
...@@ -4269,6 +4269,31 @@ job: ...@@ -4269,6 +4269,31 @@ job:
field: password field: password
``` ```
#### `secrets:file` **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
By default, the secret is passed to the job context as a variable of type
[`file`](../variables/index.md#cicd-variable-types). The value of the
secret is stored in a file and the variable `DATABASE_PASSWORD` contains a path to the file.
However, some software does not work with file variables and might require the secret value to be stored
directly in the environment variable. For that case, define a `file` setting:
```yaml
job:
secrets:
DATABASE_PASSWORD:
vault: production/db/password@ops
file: false
```
When you set `file: false`, no files are created for that variable. It contains the secret
itself instead.
The `file` is a setting of the secret, so it belongs directly under the variable
name level and not in the `vault` section.
### `pages` ### `pages`
Use `pages` to upload static content to GitLab. The content Use `pages` to upload static content to GitLab. The content
......
...@@ -11,14 +11,16 @@ module Gitlab ...@@ -11,14 +11,16 @@ module Gitlab
include ::Gitlab::Config::Entry::Configurable include ::Gitlab::Config::Entry::Configurable
include ::Gitlab::Config::Entry::Attributable include ::Gitlab::Config::Entry::Attributable
ALLOWED_KEYS = %i[vault].freeze REQUIRED_KEYS = %i[vault].freeze
ALLOWED_KEYS = (REQUIRED_KEYS + %i[file]).freeze
attributes ALLOWED_KEYS attributes ALLOWED_KEYS
entry :vault, Entry::Vault::Secret, description: 'Vault secrets engine configuration' entry :vault, Entry::Vault::Secret, description: 'Vault secrets engine configuration'
entry :file, ::Gitlab::Config::Entry::Boolean, description: 'Should the created variable be of file type'
validations do validations do
validates :config, allowed_keys: ALLOWED_KEYS, required_keys: ALLOWED_KEYS validates :config, allowed_keys: ALLOWED_KEYS, required_keys: REQUIRED_KEYS
end end
end end
end end
......
...@@ -11,26 +11,47 @@ RSpec.describe Gitlab::Ci::Config::Entry::Secret do ...@@ -11,26 +11,47 @@ RSpec.describe Gitlab::Ci::Config::Entry::Secret do
end end
context 'when entry config value is correct' do context 'when entry config value is correct' do
let(:config) do shared_examples 'configures secrets' do
{ describe '#value' do
vault: { it 'returns secret configuration' do
engine: { name: 'kv-v2', path: 'kv-v2' }, expect(entry.value).to eq(config)
path: 'production/db', end
field: 'password' end
}
} describe '#valid?' do
it 'is valid' do
expect(entry).to be_valid
end
end
end end
describe '#value' do context 'when file setting is not defined' do
it 'returns secret configuration' do let(:config) do
expect(entry.value).to eq(config) {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
end end
it_behaves_like 'configures secrets'
end end
describe '#valid?' do context 'when file setting is defined' do
it 'is valid' do let(:config) do
expect(entry).to be_valid {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
},
file: true
}
end end
it_behaves_like 'configures secrets'
end end
end end
end end
......
...@@ -19,6 +19,7 @@ RSpec.describe Ci::BuildRunnerPresenter do ...@@ -19,6 +19,7 @@ RSpec.describe Ci::BuildRunnerPresenter do
let(:secrets) do let(:secrets) do
{ {
DATABASE_PASSWORD: { DATABASE_PASSWORD: {
file: true,
vault: { vault: {
engine: { name: 'kv-v2', path: 'kv-v2' }, engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db', path: 'production/db',
...@@ -81,6 +82,14 @@ RSpec.describe Ci::BuildRunnerPresenter do ...@@ -81,6 +82,14 @@ RSpec.describe Ci::BuildRunnerPresenter do
end end
end end
end end
context 'File variable configuration' do
subject { presenter.secrets_configuration.dig('DATABASE_PASSWORD') }
it 'contains the file configuration directive' do
expect(subject.fetch('file')).to be_truthy
end
end
end end
end end
end end
...@@ -18,7 +18,8 @@ RSpec.describe API::Ci::Runner do ...@@ -18,7 +18,8 @@ RSpec.describe API::Ci::Runner do
engine: { name: 'kv-v2', path: 'kv-v2' }, engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db', path: 'production/db',
field: 'password' field: 'password'
} },
file: true
} }
} }
end end
...@@ -70,7 +71,8 @@ RSpec.describe API::Ci::Runner do ...@@ -70,7 +71,8 @@ RSpec.describe API::Ci::Runner do
'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' }, 'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' },
'path' => 'production/db', 'path' => 'production/db',
'field' => 'password' 'field' => 'password'
} },
'file' => true
} }
} }
) )
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment